Merge pull request #16 from devrev/jro/mask_merge_messages

devrev-jo · web-flow · commit c6ad7eda2633 · 2025-09-26T14:30:16.000+02:00
Mask detections of github token is commit messages.
diff --git a/checks/check_trufflehog.py b/checks/check_trufflehog.py
@@ -60,12 +60,21 @@ def check_trufflehog(json_path):
             if len(line) == 0:
                 continue
             finding = json.loads(line)
+            detector_name = finding["DetectorName"]
             git_info = finding["SourceMetadata"]["Data"]["Git"]
-            fn = git_info["file"]
+            fn = git_info.get("file")
             line_num = git_info["line"]
+
+            # Special handling for github tokens in commit messages:
+            if detector_name == "Github" and fn is None:
+                print(f"Skipping {detector_name} finding because detection is in commit message")
+                continue
             if is_overridden(fn, line_num, cred_overrides):
                 print(f"Skipping {fn}:{line_num} because it is in the creds.yml file")
                 continue
+            if fn is None:
+                # Clarify that the finding is in a commit message.
+                print(f"<commit message>")
             print(f"Found secret in {fn}:{line_num}")
             return False
     print("No secrets found")
diff --git a/checks/fixtures/trufflehog/merge_message/trufflehog.json b/checks/fixtures/trufflehog/merge_message/trufflehog.json
@@ -0,0 +1 @@
+{"SourceMetadata":{"Data":{"Git":{"commit":"306419ec2a79f5ddb4117185f104c80004e342b6","email":"Jan Olderdissen \u003cjo@devrev.ai\u003e","repository":"git@github.com:devrev/jano-experimental.git","timestamp":"2025-09-25 17:20:44 +0000","line":4,"repository_local_path":"."}}},"SourceID":1,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":8,"DetectorName":"Github","DetectorDescription":"GitHub is a platform for version control and collaboration. Personal access tokens (PATs) can be used to access and modify repositories and other resources.","DecoderName":"PLAIN","Verified":false,"VerificationFromCache":false,"Raw":"ghp_c2cc08e5b98f8995bb8042c5adb024e46f42","RawV2":"","Redacted":"","ExtraData":{"rotation_guide":"https://howtorotate.com/docs/tutorials/github/","version":"2"},"StructuredData":null}
diff --git a/checks/test_checks.py b/checks/test_checks.py
@@ -63,6 +63,11 @@ def test_two_overrides(self):
             self.assertTrue(checks.check_trufflehog.check_trufflehog(
                 "./trufflehog.json"))
 
+    def test_merge_message(self):
+        with change_dir("checks/fixtures/trufflehog/merge_message"):
+            self.assertTrue(checks.check_trufflehog.check_trufflehog(
+                "./trufflehog.json"))
+
 class TestCommitEmails(unittest.TestCase):
     def test_good(self):
         with change_dir("checks/fixtures/emails/good"):

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+{"SourceMetadata":{"Data":{"Git":{"commit":"306419ec2a79f5ddb4117185f104c80004e342b6","email":"Jan Olderdissen \u003c[email protected]\u003e","repository":"[email protected]:devrev/jano-experimental.git","timestamp":"2025-09-25 17:20:44 +0000","line":4,"repository_local_path":"."}}},"SourceID":1,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":8,"DetectorName":"Github","DetectorDescription":"GitHub is a platform for version control and collaboration. Personal access tokens (PATs) can be used to access and modify repositories and other resources.","DecoderName":"PLAIN","Verified":false,"VerificationFromCache":false,"Raw":"ghp_c2cc08e5b98f8995bb8042c5adb024e46f42","RawV2":"","Redacted":"","ExtraData":{"rotation_guide":"https://howtorotate.com/docs/tutorials/github/","version":"2"},"StructuredData":null}